Dynalink DL-WRX36 Askey RT5010W IPQ8072A technical discussion

Hello! I bought a Dynalink DL-WRX36 router from Amazon, and upon opening it, the model printed on the board is RT5010W; it looks like it is a rebranded Askey RT5010W.
Specifications:
Wi-Fi 6 Dual-Band 4+4 (2.4GHz, 5GHz)
Qualcomm Hawkeye IPQ8072A
Qualcomm QCA8081 - 2.5GE WAN x 1
Qualcomm QCA8075 - 1GE LAN x 4
Qualcomm QCN5024 for 2.4 GHz 4x4 MIMO
Qualcomm QCN5054 for 5 GHz 4x4 MIMO
4-internal Antenna for 2.4 GHz
4-internal Antenna for 5 GHz
The question is whether this hardware may be supported in the future.
Console log:

▒ormat:`Log Ty▒e - Time(microsec) - Message - Optional Info
Log Type: B`- Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S , IMAGE_VARIANT_STRING=HAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e5
B -       201 - PBL, Start
B -      2736 - bootable_media_detect_entry, Start
B -      4188 - bootable_media_detect_success, Start
B -      4193 - elf_loader_entry, Start
B -      6859 - auth_hash_seg_entry, Start
B -     44701 - auth_hash_seg_exit, Start
B -    106640 - elf_segs_hash_verify_entry, St!rt
B -    169494 - PBL, End
B -    180529 - SBL1, Start
B -    232410 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    238876 - pm_device_init, Start
B -    359961 - PM_SET_VAL:Skip
D -    120627 - pm_device_init, Delta
B -    362370 - pm_driver_init, Start
D -      5368 - pm_driver_init, Delta
B -    368745 - clock_init, Start
D -      2104 -▒▒▒▒}▒▒▒ѱ@Delta

B -    372740 - boot_flash_init, Start
D -     12566 - boot_fla3h_init, Delta
B -    388997 - boot_config_data_table_init, Start
D -      3080 - boot_config_data_table_init, Delta - (575 Bytes)
B -    396469 - Boot Setting :  0x00000618
B -    400404 - CDT version:2,Platform ID:8,Major ID:133,Minor ID:1,Subtype:5
B -    407510 - sbl1_ddr_set_params, Start
B -    411231 - CPR configuration: 0x30c
B -    414708 - cpr]init, Start
B -    417575 - Rail:0 Mode: 5 Voltage: 784000
B -    422669 - CL CPR settled at 736000mV
B -    425505 - Rail:1 Mode: 5 Voltage: 880000
B -    429775 - Rail:1 Mode: 7 Voltage: 888000
D -     16409 - cpr_init, Delta
B -    436577 - Pre_DDR_clock_init, Start
B -    440603 - Pre_DDR_clock_init, End
B -    443988 - DDR Type : PCDDR4
B -    4506)8 - do dDr sanity test, Start
D -      1067 - do ddr sanity test, Delta
B -    454511 - DDR: Start of HAL DDR Boot Training
B -    459147 - DDR: End of HAL DDR Boot Training
B -    464911 - DDR: Checksum to be stored on flash is 292371778
B -    475129 - Image Load, Start
D -    505629 - QSEE Image Loaded, Delta - (1378368 Bytes)
B -    980849 - Image L▒ad, Start
D -        61 ] SEC Image Loaded, Delta - (0 Bytes)
B -    988535 - Image Load, Start
D -    293989 - DEVCFG Image Loaded, Delta - (32488 Bytes)
B -   1282586 - Image Load, Start
D -    305213 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1587860 - Image Load, Start
D -    369752 - APPSBL Image Loaded, Delta - (536590 Bytes)
B -   1957764 - QSEE Execution, Start
D -        91 - QSEE Execution, Delta
B -   1963559 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -   1969964 - SBL1, End
D -   1791723 - SBL1, Delta
S - Flash Throughput, 6728 KB/s  (2041753 Bytes,  303439 us)
S - DDR Frequency, 600 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 0.0.1-1-80112-CS (May 21 2021 - 09:29:10 +0800)

DRAM:  smem ram ptable found: ver: 1 len: 4
1 GiB
Led init ...
NAND:  Could not find nand_gpio in dts, using defaults
ONFI device found
ID = 1590aa2c
Vendor = 2c
Device = aa
qpic_nand: changing oobsize to 80 from 128 bytes
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
256 MiB
MMC:   sdhci: Node Not found, skipping initialization

*** Warning - bad CRC, using default environment

PCI0 is not defined in the device tree
PCI1 is not defined in the device tree
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
mach▒d: 8850105
MMC Device 0 not found
eth5 MAC Address from ART is not valid
Hit any key to stop autoboot:  0
machid: 0x08850105 aqr_load:1
machid 0x08850105 no Aquantia phy.
call do_boot_signedimg()
******* check firmware img *****
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 97 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 776, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 1346115567
ubi0: available PEBs: 0, total reserved PEBs: 776, PEBs reserved for bad PEB handling: 40
Read 2048 bytes from volume kernel to 44000000
NOT unsigned kernel FW header
Read 4184064 bytes from volume kernel to 44000000
Read 34607104 bytes from volume ubi_rootfs to 443fd040
******* OK *****
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 97 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 776, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 1346115567
ubi0: available PEBs: 0, total reserved PEBs: 776, PEBs reserved for bad PEB handling: 40
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4190208)
dtb_config_name: <config@rt5010w-d350-rev0>
## Loading kernel from FIT Image at 44000068 ...
   Using 'config@rt5010w-d350-rev0' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM64 OpenWrt Linux-4.4.60
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x44000150
     Data Size:    3922320 Bytes = 3.7 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41080000
     Entry Point:  0x41080000
     Hash algo:    crc32
     Hash value:   4998f750
     Hash algo:    sha1
     Hash va▒ue:   515a49c6d0bfa0888e7c5eed9cf2ced0f09506a7
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000068 ...
   Using 'config@rt5010w-d350-rev0' configuration
   Trying 'fdt@rt5010w-d350-rev0' fdt subimage
     Description:  ARM64 OpenWrt rt5010w-d350 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x443bdc2c
     Data Size:    82227 Bytes = 80.3 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   877a0dfe
     Hash algo:    sha1
     Hash value:   19595d50a1c0362b772db8f69b3dbd5773e444a0
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x443bdc2c
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 4a3e8000, end 4a3ff132 ... OK
Could not find PCI in device tree
Using machid 0x8850105 from environment

Starting kernel ...

Jumping to AARCH64 kernel via monitor
4 Likes

Hi,

I also saw that pretty cheap device (for an ipq8074).

But I haven't found a firmware image that we could analyze.

And it looks like they are checking the image during boot, that doesn't make it easier...

call do_boot_signedimg()
******* check firmware img *****

NOT unsigned kernel FW header

Can you stop autoboot at this point ?

Hit any key to stop autoboot:  0
1 Like

Yes, I can stop autoboot and input commands, though I only get lines of garbage characters after kernel boot.

IPQ807x#   printenv
baudrate=115200
bootcmd=bootipq
bootdelay=2
eth1addr=a4:00:63:32:3f:1c
eth2addr=a4:00:63:32:3f:1c
eth3addr=a4:00:63:32:3f:1c
eth4addr=a4:00:63:32:3f:1c
ethact=eth0
ethaddr=a6:87:39:92:9f:55
fdt_high=0x4A400000
fdtcontroladdr=4a971480
flash_type=2
machid=8850105
oobd=2021-10-29T02:48:46Z
soc_version_major=2
soc_version_minor=0
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000

Environment size: 432/262140 bytes
IPQ807x# bdinfo
arch_number = 0x08850105
boot_params = 0x40000100
DRAM bank   = 0x00000000
-> start    = 0x40000000
-> size     = 0x40000000
eth0name    = eth0
ethaddr     = a6:87:39:92:9f:55
current eth = eth0
ip_addr     = <NULL>
baudrate    = 115200 bps
TLB addr    = 0x4A9C0000
relocaddr   = 0x4A900000
reloc off   = 0x00000000
irq_sp      = 0x4A77FA90
sp start    = 0x4A77FA80
IPQ807x# is_sec_boot_enabled
secure boot fuse is enabled
IPQ807x# smeminfo
flash_type:             0x2
flash_index:            0x0
flash_chip_select:      0x0
flash_block_size:       0x20000
flash_density:          0x100000
partition table offset  0x0
No.: Name             Attributes            Start             Size
  0: 0:SBL1           0x0000ffff              0x0         0x100000
  1: 0:MIBIB          0x0000ffff         0x100000         0x100000
  2: 0:BOOTCONFIG     0x0000ffff         0x200000          0x80000
  3: 0:BOOTCONFIG1    0x0000ffff         0x280000          0x80000
  4: 0:QSEE           0x0000ffff         0x300000         0x300000
  5: 0:QSEE_1         0x0000ffff         0x600000         0x300000
  6: 0:DEVCFG         0x0000ffff         0x900000          0x80000
  7: 0:DEVCFG_1       0x0000ffff         0x980000          0x80000
  8: 0:APDP           0x0000ffff         0xa00000          0x80000
  9: 0:APDP_1         0x0000ffff         0xa80000          0x80000
 10: 0:RPM            0x0000ffff         0xb00000          0x80000
 11: 0:RPM_1          0x0000ffff         0xb80000          0x80000
 12: 0:CDT            0x0000ffff         0xc00000          0x80000
 13: 0:CDT_1          0x0000ffff         0xc80000          0x80000
 14: 0:APPSBLENV      0x0000ffff         0xd00000          0x80000
 15: 0:APPSBL         0x0000ffff         0xd80000         0x100000
 16: 0:APPSBL_1       0x0000ffff         0xe80000         0x100000
 17: 0:ART            0x0000ffff         0xf80000          0x80000
 18: rootfs           0x0000ffff        0x7a00000        0x6100000
 19: 0:WIFIFW         0x0000ffff        0xdb00000         0x900000
 20: rootfs_1         0x0000ffff        0x1000000        0x6100000
 21: 0:WIFIFW_1       0x0000ffff        0x7100000         0x900000
 22: ubifs            0x0000ffff        0xe400000        0x1600000
 23: 0:ETHPHYFW       0x0000ffff        0xfa00000          0x80000
 24: certificate      0x0000ffff        0xfa80000         0x280000
IPQ807x# help
?       - alias for 'help'
aq_load_fw- LOAD aq-fw-binary
aq_phy_restart- Restart Aquantia phy
base    - print or set address offset
bdinfo  - print Board Info structure
bootipq - bootipq from flash device
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bootz   - boot Linux zImage image from memory
canary  - test stack canary
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
dm      - Driver model low level access
echo    - echo args to console
env     - environment handling commands
erase   - erase FLASH memory
exectzt - execute TZT

exit    - exit script
false   - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fatsize - determine a file's size
fdt     - flattened device tree utility commands
flash   - flash part_name
        flash part_name load_addr file_size

flasherase- flerase part_name

flinfo  - print FLASH memory information
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
icache  - enable or disable instruction cache
imxtract- extract a part of a multi-image
ipq_mdio- IPQ mdio utility commands
is_sec_boot_enabled- check secure boot fuse is enabled or not

itest   - return true/false on integer compare
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
runmulticore- Enable and schedule secondary cores
saveenv - save environment variables to persistent storage
secure_authenticate- authenticate the signed image

setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
sleep   - delay execution for some time
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
uart    - UART sub-system
ubi     - ubi commands
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version

Unfortunately this is a game over:

secure boot fuse is enabled

This means secure boot is enabled, you would need the keys/certs to sign the self built image to get it working.

1 Like

That means that the U-boot signature is checked for sure, but I wouldn't be surprised if you can load an initramfs image via network and bootm that.
Cause if that works, then you can simply change the bootcmd to manually boot whatever you want.
It really depends on how far they went with U-boot integration

4 Likes
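An added example (not code from this thread, U-Boot or OpenWrt): a small Python audit of a U-Boot console capture that separates what the log actually shows, namely the fuse state, the vendor `do_boot_signedimg()` step, and the per-subimage checks printed while loading the FIT image. It assumes mainline U-Boot's convention of printing a verified signature as `hash,crypto:keyname`; the sample log is assembled from lines posted above, and every function name is made up for the example.

```python
import re

# Constructed sample: lines copied from the console captures posted in this thread.
SAMPLE_LOG = """\
call do_boot_signedimg()
******* check firmware img *****
NOT unsigned kernel FW header
******* OK *****
## Loading kernel from FIT Image at 44000068 ...
   Trying 'kernel@1' kernel subimage
     Hash algo:    crc32
     Hash algo:    sha1
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000068 ...
   Trying 'fdt@rt5010w-d350-rev0' fdt subimage
     Hash algo:    crc32
     Hash algo:    sha1
   Verifying Hash Integrity ... crc32+ sha1+ OK
IPQ807x# is_sec_boot_enabled
secure boot fuse is enabled
"""

TRYING = re.compile(r"Trying '([^']+)' \S+ subimage")
VERIFY = re.compile(r"Verifying Hash Integrity \.\.\.\s*(.*)")
# One check per token: algorithm name followed by '+' (passed) or '-' (failed).
CHECK = re.compile(r"(\S+?)([+-])(?=\s|$)")


def parse_checks(rest):
    """Turn 'crc32+ sha1+ OK' into [('crc32', True), ('sha1', True)]."""
    return [(m.group(1), m.group(2) == "+") for m in CHECK.finditer(rest)]


def is_signature(algo):
    # Assumption: a signature check is printed as 'hash,crypto:keyname'
    # (mainline U-Boot style); a bare name such as 'sha1' is only a digest.
    return "," in algo


def audit_boot_log(text):
    report = {
        "fuse_enabled": None,        # None = not observed in this capture
        "vendor_check_ran": False,   # do_boot_signedimg() was called
        "vendor_check_ok": False,    # banner '******* OK *****' followed it
        "subimages": [],
        "findings": [],
    }
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if "secure boot fuse is enabled" in line:
            report["fuse_enabled"] = True
        elif "do_boot_signedimg" in line:
            report["vendor_check_ran"] = True
        elif report["vendor_check_ran"] and re.fullmatch(r"\*+ OK \*+", line):
            report["vendor_check_ok"] = True

        m = TRYING.search(line)
        if m:
            current = m.group(1)
            continue
        m = VERIFY.search(line)
        if m and current is not None:
            checks = parse_checks(m.group(1))
            report["subimages"].append({
                "name": current,
                "checks": checks,
                "all_passed": bool(checks) and all(ok for _, ok in checks),
                # Authenticated only if a signature check is present and passed.
                "authenticated": any(ok and is_signature(a) for a, ok in checks),
            })
            current = None

    unauthenticated = [s for s in report["subimages"] if not s["authenticated"]]
    for s in unauthenticated:
        algos = ", ".join(a for a, _ in s["checks"]) or "nothing"
        report["findings"].append(
            f"{s['name']}: FIT load checked {algos} only (integrity, no signature)")
    if report["fuse_enabled"] and unauthenticated:
        report["findings"].append(
            "secure boot fuse is enabled, but the FIT load path shows no "
            "signature check; authenticity rests on the vendor step alone")
    return report


if __name__ == "__main__":
    result = audit_boot_log(SAMPLE_LOG)
    for finding in result["findings"]:
        print("-", finding)
```
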

@Gost6
You could try to boot an initramfs image from the AX9000 (https://github.com/robimarko/openwrt/suites/4203949237/artifacts/108573968)

All you need is a working tftp-server (another openwrt device etc.) Just set a static IP and copy the file openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-fit-uImage.itb to the right tftp path.
Connect one of the lan-ports from the dynalink with the tftp-server via ethernet.

  1. stop autoboot
  2. setenv serverip
  3. setenv ipaddr
  4. tftpboot openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-fit-uImage.itb
  5. bootm

And then we will see if u-boot prevents booting that image or not.

1 Like

I tried the initramfs image from the AX9000 and it boots into OpenWrt. I can access the LuCI web interface; only the WAN port and Wi-Fi are not working.

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.10.75 (runner@fv-az83-855) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r0-50a8db7) 11.2.0, GNU ld (GNU Binutils) 2.37) #0 SMP Fri Oct 29 18:36:13 2021
[    0.000000] Machine model: Xiaomi AX9000
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000040000000-0x000000007fffffff]
[    0.000000]   DMA32    empty
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000040000000-0x0000000040ffffff]
[    0.000000]   node   0: [mem 0x0000000041000000-0x000000004a3fffff]
[    0.000000]   node   0: [mem 0x000000004a400000-0x00000000510fffff]
[    0.000000]   node   0: [mem 0x0000000051100000-0x000000007fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x000000007fffffff]
[    0.000000] On node 0 totalpages: 262144
[    0.000000]   DMA zone: 4096 pages used for memmap
[    0.000000]   DMA zone: 0 pages reserved
[    0.000000]   DMA zone: 262144 pages, LIFO batch:63
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.0 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: MIGRATE_INFO_TYPE not supported.
[    0.000000] psci: SMC Calling Convention v1.0
[    0.000000] percpu: Embedded 20 pages/cpu s41112 r8192 d32616 u81920
[    0.000000] pcpu-alloc: s41112 r8192 d32616 u81920 alloc=20*4096
[    0.000000] pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 258048
[    0.000000] Kernel command line:  root=/dev/ubiblock0_1
[    0.000000] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[    0.000000] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 882080K/1048576K available (7102K kernel code, 838K rwdata, 1836K rodata, 8064K init, 300K bss, 166496K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Hierarchical RCU implementation.
[    0.000000] rcu: 	RCU restricting CPUs from NR_CPUS=256 to nr_cpu_ids=4.
[    0.000000] 	Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] random: get_random_bytes called from start_kernel+0x350/0x558 with crng_init=0
[    0.000000] arch_timer: cp15 and mmio timer(s) running at 19.20MHz (virt/virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x46d987e47, max_idle_ns: 440795202767 ns
[    0.000006] sched_clock: 56 bits at 19MHz, resolution 52ns, wraps every 4398046511078ns
[    0.000163] Calibrating delay loop (skipped), value calculated using timer frequency.. 38.40 BogoMIPS (lpj=76800)
[    0.000179] pid_max: default: 32768 minimum: 301
[    0.000304] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.000318] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.001691] rcu: Hierarchical SRCU implementation.
[    0.001835] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.002262] smp: Bringing up secondary CPUs ...
[    0.002785] Detected VIPT I-cache on CPU1
[    0.002849] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.003405] Detected VIPT I-cache on CPU2
[    0.003446] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[    0.004040] Detected VIPT I-cache on CPU3
[    0.004078] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[    0.004152] smp: Brought up 1 node, 4 CPUs
[    0.004164] SMP: Total of 4 processors activated.
[    0.004173] CPU features: detected: 32-bit EL0 Support
[    0.004181] CPU features: detected: CRC32 instructions
[    0.004238] CPU features: emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching
[    0.004247] CPU: All CPU(s) started at EL1
[    0.004268] alternatives: patching kernel code
[    0.011533] KASLR disabled due to lack of seed
[    0.011686] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.011711] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.011845] pinctrl core: initialized pinctrl subsystem
[    0.012883] NET: Registered protocol family 16
[    0.013322] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[    0.013361] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[    0.013397] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[    0.013937] thermal_sys: Registered thermal governor 'step_wise'
[    0.015616] cpuidle: using governor ladder
[    0.015847] NET: Registered protocol family 42
[    0.015993] ASID allocator initialised with 65536 entries
[    0.086340] usbcore: registered new interface driver usbfs
[    0.086406] usbcore: registered new interface driver hub
[    0.086457] usbcore: registered new device driver usb
[    0.086671] qcom_scm: convention: smc arm 64
[    0.087926] clocksource: Switched to clocksource arch_sys_counter
[    0.088831] NET: Registered protocol family 2
[    0.088958] IP idents hash table entries: 16384 (order: 5, 131072 bytes, linear)
[    0.089730] tcp_listen_portaddr_hash hash table entries: 512 (order: 1, 8192 bytes, linear)
[    0.089759] TCP established hash table entries: 8192 (order: 4, 65536 bytes, linear)
[    0.089846] TCP bind hash table entries: 8192 (order: 5, 131072 bytes, linear)
[    0.089992] TCP: Hash tables configured (established 8192 bind 8192)
[    0.090089] UDP hash table entries: 512 (order: 2, 16384 bytes, linear)
[    0.090127] UDP-Lite hash table entries: 512 (order: 2, 16384 bytes, linear)
[    0.090291] NET: Registered protocol family 1
[    0.090321] PCI: CLS 0 bytes, default 64
[    0.702196] workingset: timestamp_bits=46 max_order=18 bucket_order=0
[    0.705757] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.705771] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.707057] qcom-qmp-phy 78000.phy: supply vdda-phy not found, using dummy regulator
[    0.707203] qcom-qmp-phy 78000.phy: supply vdda-pll not found, using dummy regulator
[    0.708178] qcom-qmp-phy 78000.phy: Registered Qcom-QMP phy
[    0.709219] qcom-qmp-phy 84000.phy: Registered Qcom-QMP phy
[    0.710186] qcom-qmp-phy 8e000.phy: Registered Qcom-QMP phy
[    0.710802] qcom-qusb2-phy 79000.phy: supply vdda-pll not found, using dummy regulator
[    0.710948] qcom-qusb2-phy 79000.phy: supply vdda-phy-dpdm not found, using dummy regulator
[    0.711099] qcom-qusb2-phy 79000.phy: Registered Qcom-QUSB2 phy
[    0.712216] qcom-pcie 10000000.pci: host bridge /soc/pci@10000000 ranges:
[    0.712263] qcom-pcie 10000000.pci:       IO 0x0010200000..0x00102fffff -> 0x0010200000
[    0.712290] qcom-pcie 10000000.pci:      MEM 0x0010220000..0x001fffffff -> 0x0010220000
[    1.831904] qcom-pcie 10000000.pci: Phy link never came up
[    1.832047] qcom-pcie 10000000.pci: PCI host bridge to bus 0001:00
[    1.832063] pci_bus 0001:00: root bus resource [bus 00-ff]
[    1.832075] pci_bus 0001:00: root bus resource [io  0x0000-0xfffff] (bus address [0x10200000-0x102fffff])
[    1.832086] pci_bus 0001:00: root bus resource [mem 0x10220000-0x1fffffff]
[    1.832126] pci 0001:00:00.0: [17cb:0302] type 01 class 0x060400
[    1.832149] pci 0001:00:00.0: reg 0x10: [mem 0x00000000-0x00000fff]
[    1.832223] pci 0001:00:00.0: PME# supported from D0 D3hot D3cold
[    1.837640] pci 0001:00:00.0: BAR 0: assigned [mem 0x10220000-0x10220fff]
[    1.837659] pci 0001:00:00.0: PCI bridge to [bus 01-ff]
[    1.839470] pcieport 0001:00:00.0: PME: Signaling with IRQ 104
[    1.840278] qcom-pcie 20000000.pci: host bridge /soc/pci@20000000 ranges:
[    1.840326] qcom-pcie 20000000.pci:       IO 0x0020200000..0x00202fffff -> 0x0020200000
[    1.840351] qcom-pcie 20000000.pci:      MEM 0x0020220000..0x002fffffff -> 0x0020220000
[    2.955905] qcom-pcie 20000000.pci: Phy link never came up
[    2.956034] qcom-pcie 20000000.pci: PCI host bridge to bus 0000:00
[    2.956050] pci_bus 0000:00: root bus resource [bus 00-ff]
[    2.956063] pci_bus 0000:00: root bus resource [io  0x100000-0x1fffff] (bus address [0x20200000-0x202fffff])
[    2.956073] pci_bus 0000:00: root bus resource [mem 0x20220000-0x2fffffff]
[    2.956111] pci 0000:00:00.0: [17cb:1002] type 01 class 0x060400
[    2.956133] pci 0000:00:00.0: reg 0x10: [mem 0x00000000-0x00000fff]
[    2.956211] pci 0000:00:00.0: PME# supported from D0 D3hot D3cold
[    2.961564] pci 0000:00:00.0: BAR 8: assigned [mem 0x20300000-0x204fffff]
[    2.961583] pci 0000:00:00.0: BAR 9: assigned [mem 0x20500000-0x206fffff 64bit pref]
[    2.961594] pci 0000:00:00.0: BAR 0: assigned [mem 0x20220000-0x20220fff]
[    2.961608] pci 0000:00:00.0: BAR 7: assigned [io  0x100000-0x100fff]
[    2.961620] pci 0000:00:00.0: PCI bridge to [bus 01-ff]
[    2.961630] pci 0000:00:00.0:   bridge window [io  0x100000-0x100fff]
[    2.961642] pci 0000:00:00.0:   bridge window [mem 0x20300000-0x204fffff]
[    2.961653] pci 0000:00:00.0:   bridge window [mem 0x20500000-0x206fffff 64bit pref]
[    2.963426] pcieport 0000:00:00.0: PME: Signaling with IRQ 106
[    2.964417] bam-dma-engine 704000.dma: num-channels unspecified in dt
[    2.964432] bam-dma-engine 704000.dma: num-ees unspecified in dt
[    2.969047] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    2.969619] msm_serial 78b3000.serial: msm_serial: detected port #0
[    2.969657] msm_serial 78b3000.serial: uartclk = 3686400
[    2.969710] 78b3000.serial: ttyMSM0 at MMIO 0x78b3000 (irq = 22, base_baud = 230400) is a MSM
[    2.969737] msm_serial: console setup on port #0
[    3.826462] printk: console [ttyMSM0] enabled
[    3.831570] msm_serial: driver initialized
[    3.839513] loop: module loaded
[    3.840686] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xaa
[    3.842423] nand: Micron MT29F2G08ABBGAH4
[    3.849043] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 128
[    3.860476] 25 qcomsmem partitions found on MTD device qcom_nand.0
[    3.860510] Creating 25 MTD partitions on "qcom_nand.0":
[    3.866663] 0x000000000000-0x000000100000 : "0:sbl1"
[    3.873346] 0x000000100000-0x000000200000 : "0:mibib"
[    3.878195] 0x000000200000-0x000000280000 : "0:bootconfig"
[    3.882750] 0x000000280000-0x000000300000 : "0:bootconfig1"
[    3.888164] 0x000000300000-0x000000600000 : "0:qsee"
[    3.895408] 0x000000600000-0x000000900000 : "0:qsee_1"
[    3.900682] 0x000000900000-0x000000980000 : "0:devcfg"
[    3.903744] 0x000000980000-0x000000a00000 : "0:devcfg_1"
[    3.908901] 0x000000a00000-0x000000a80000 : "0:apdp"
[    3.914370] 0x000000a80000-0x000000b00000 : "0:apdp_1"
[    3.919315] 0x000000b00000-0x000000b80000 : "0:rpm"
[    3.924286] 0x000000b80000-0x000000c00000 : "0:rpm_1"
[    3.929032] 0x000000c00000-0x000000c80000 : "0:cdt"
[    3.934245] 0x000000c80000-0x000000d00000 : "0:cdt_1"
[    3.938938] 0x000000d00000-0x000000d80000 : "0:appsblenv"
[    3.944144] 0x000000d80000-0x000000e80000 : "0:appsbl"
[    3.949883] 0x000000e80000-0x000000f80000 : "0:appsbl_1"
[    3.954916] 0x000000f80000-0x000001000000 : "0:art"
[    3.959367] random: fast init done
[    3.964590] 0x000007a00000-0x00000db00000 : "rootfs"
[    4.038673] mtd: device 18 (rootfs) set to be root filesystem
[    4.039360] mtdsplit: error occured while reading from "rootfs"
[    4.043417] 0x00000db00000-0x00000e400000 : "0:wififw"
[    4.056111] 0x000001000000-0x000007100000 : "rootfs_1"
[    4.127870] 0x000007100000-0x000007a00000 : "0:wififw_1"
[    4.134874] 0x00000e400000-0x00000fa00000 : "ubifs"
[    4.151543] 0x00000fa00000-0x00000fa80000 : "0:ethphyfw"
[    4.152316] 0x00000fa80000-0x00000fd00000 : "certificate"
[    4.165745] spmi spmi-0: PMIC arbiter version v2 (0x20010000)
[    4.166591] pmd9655_s3: supplied by e-smps1-reg
[    4.170787] pmd9655_s4: supplied by e-smps1-reg
[    4.175202] pmd9655_ldo11: supplied by e-smps1-reg
[    4.180226] libphy: Fixed MDIO Bus: probed
[    4.184807] libphy: ipq4019_mdio: probed
[    4.225455] i2c /dev entries driver
[    4.230493] cpufreq: cpufreq_online: CPU0: Running at unlisted initial frequency: 800000 KHz, changing to: 1017600 KHz
[    4.231413] sdhci: Secure Digital Host Controller Interface driver
[    4.240112] sdhci: Copyright(c) Pierre Ossman
[    4.246245] sdhci-pltfm: SDHCI platform and OF driver helper
[    4.252689] remoteproc remoteproc0: cd00000.q6v5_wcss is available
[    4.257076] NET: Registered protocol family 10
[    4.262891] Segment Routing with IPv6
[    4.266855] NET: Registered protocol family 17
[    4.270596] Bridge firewalling registered
[    4.274891] 8021q: 802.1Q VLAN Support v1.8
[    4.290559] Freeing unused kernel memory: 8064K
[    4.316084] Run /init as init process
[    4.316105]   with arguments:
[    4.316108]     /init
[    4.316110]   with environment:
[    4.316113]     HOME=/
[    4.316115]     TERM=linux
[    4.453635] init: Console is alive
[    4.453735] init: - watchdog -
[    4.459315] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    4.460670] genirq: irq_chip msmgpio did not update eff. affinity mask of irq 111
[    4.468074] dwc3-qcom 8af8800.usb: IRQ hs_phy_irq not found
[    4.473302] dwc3-qcom 8af8800.usb: IRQ dp_hs_phy_irq not found
[    4.478679] dwc3-qcom 8af8800.usb: IRQ dm_hs_phy_irq not found
[    4.484576] dwc3-qcom 8af8800.usb: IRQ ss_phy_irq not found
[    4.496735] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[    4.496776] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 1
[    4.501570] xhci-hcd xhci-hcd.1.auto: hcc params 0x0220fe65 hci version 0x110 quirks 0x0000000002010010
[    4.509022] xhci-hcd xhci-hcd.1.auto: irq 113, io mem 0x08a00000
[    4.518428] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[    4.524595] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 2
[    4.529895] xhci-hcd xhci-hcd.1.auto: Host supports USB 3.0 SuperSpeed
[    4.537747] hub 1-0:1.0: USB hub found
[    4.544055] hub 1-0:1.0: 1 port detected
[    4.548008] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[    4.552099] hub 2-0:1.0: USB hub found
[    4.560075] hub 2-0:1.0: 1 port detected
[    4.565089] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    4.577134] init: - preinit -
[    4.627354] random: jshn: uninitialized urandom read (4 bytes read)
[    4.640815] random: jshn: uninitialized urandom read (4 bytes read)
[    4.648975] random: jshn: uninitialized urandom read (4 bytes read)
[    7.708706] procd: - early -
[    7.708778] procd: - watchdog -
[    8.227996] procd: - watchdog -
[    8.228236] procd: - ubus -
[    8.232916] urandom_read: 3 callbacks suppressed
[    8.232922] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.279783] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.280007] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.286028] procd: - init -
[    8.364353] urngd: v1.0.2 started.
[    8.378380] random: crng init done
[    8.378409] random: 1 urandom warning(s) missed due to ratelimiting
[    8.379505] kmodloader: loading kernel modules from /etc/modules.d/*
[    8.423897] ssdk_switch_device_num_init[1160]:INFO:ess-switch dts node number: 1
[    8.423985] ssdk_dt_get_switch_node[971]:INFO:ess-switch DT exist!
[    8.430378] ssdk_dt_parse_access_mode[857]:INFO:switch_access_mode: local bus
[    8.436363] ssdk_dt_parse_access_mode[870]:INFO:switchreg_base_addr: 0x3a000000
[    8.443569] ssdk_dt_parse_access_mode[871]:INFO:switchreg_size: 0x1000000
[    8.450691] ssdk_dt_parse_mac_mode[295]:INFO:mac mode = 0x0
[    8.457629] ssdk_dt_parse_mac_mode[304]:INFO:mac mode1 = 0xf
[    8.463010] ssdk_dt_parse_mac_mode[313]:INFO:mac mode2 = 0xff
[    8.468925] ssdk_dt_parse_phy_info[659]:INFO:[PORT 5] port_mac_sel = QGMAC_PORT
[    8.474580] ssdk_dt_parse_uniphy[332]:INFO:ess-uniphy DT exist!
[    8.481766] ssdk_dt_parse_intf_mac[800]:INFO:dp1 MAC a4:97:33:92:9f:19
[    8.487603] ssdk_dt_parse_intf_mac[800]:INFO:dp2 MAC a4:00:63:32:3f:1c
[    8.494200] ssdk_dt_parse_intf_mac[800]:INFO:dp3 MAC a4:00:63:32:3f:1c
[    8.500709] ssdk_dt_parse_intf_mac[800]:INFO:dp4 MAC a4:00:63:32:3f:1c
[    8.507220] ssdk_dt_parse_intf_mac[800]:INFO:dp5 MAC a4:00:63:32:3f:1c
[    8.513744] ssdk_plat_init start
[    8.581496] ssdk_gcc_clock_init[1033]:INFO:SSDK gcc clock init successfully!
[    8.582488] HPPE initializing...
[    8.587939] ssdk_phy_driver_init[326]:INFO:dev_id = 0, phy_adress = 24, phy_id = 0xffffffff phytype doesn't match
[    8.590834] malibu_phy_api_ops_init[2848]:INFO:qca probe malibu phy driver succeeded!
[    8.604697] regi_init[3567]:INFO:Initializing HPPE!!
[    8.831913] ssdk_ppe_reset_init[1265]:INFO:ppe reset successfully!
[    8.835142] qca_hppe_tdm_hw_init[684]:INFO:tdm setup num=96
[    8.837300] qca_hppe_portctrl_hw_init[110]:INFO:Hawkeye PPE port initializing
[   10.199987] ssdk_switch_register[1718]:INFO:Chip version 0x1500
[   10.200017] qca_link_polling_select[1315]:INFO:link-polling-required node does not exist
[   10.204714] ssdk_switch_register[1744]:INFO:polling is selected
[   10.213043] regi_init[3571]:INFO:Initializing HPPE Done!!
[   10.218752] regi_init[3631]:INFO:qca-ssdk module init succeeded!
[   10.226575] EDMA ver 1 hw init
[   10.230539] EDMA HW Reset completed succesfully
[   10.233216] Num rings - TxDesc:1 (23-23) TxCmpl:1 (7-7)
[   10.237603] RxDesc:1 (15-15) RxFill:1 (7-7)
[   10.247792] **********************************************************
[   10.247823] * NSS Data Plane driver
[   10.253618] **********************************************************
[   10.278298] qca-nss 39000000.nss: Direct firmware load for qca-nss0.bin failed with error -2
[   10.278335] qca-nss 39000000.nss: Falling back to sysfs fallback for: qca-nss0.bin
[   10.359742] nss_driver - fw of size 833304  bytes copied to load addr: 40000000, nss_id : 0
[   10.361716] Supported Frequencies - 
[   10.361723] 187.2 MHz 
[   10.366926] 748.8 MHz 
[   10.370726] 1.4976 GHz 
[   10.372886] 
[   10.377639] ffffffc008958900: set sdma ffffff8002c26e00
[   10.379390] ffffffc008958900: meminfo init succeed
[   10.401903] qca-nss 39400000.nss: Direct firmware load for qca-nss1.bin failed with error -2
[   10.401939] qca-nss 39400000.nss: Falling back to sysfs fallback for: qca-nss1.bin
[   10.418499] node size 2 # items 4
[   10.418531] memory: 40000000 1073741824 (avl 964321280) items 4 active_cores 2
[   10.420835] addr/size storage words 2 2 # words 4 in DTS, ddr size 1000000
[   10.427948] ffffffc008958900: nss core 0 booted successfully
[   10.441146] nss_driver - fw of size 292296  bytes copied to load addr: 40800000, nss_id : 1
[   10.444934] Supported Frequencies - 
[   10.445057] 187.2 MHz 
[   10.452219] 748.8 MHz 
[   10.455162] 1.4976 GHz 
[   10.457344] 
[   10.462100] ffffffc008960140: set sdma ffffff8003949f00
[   10.463810] ffffffc008960140: meminfo init succeed
[   10.468857] debugfs: Directory 'dynamic_if' with parent 'stats' already present!
[   10.473585] debugfs: File 'n2h' in directory 'strings' already present!
[   10.481129] debugfs: File 'drv' in directory 'strings' already present!
[   10.491612] node size 2 # items 4
[   10.494072] memory: 40000000 1073741824 (avl 964321280) items 4 active_cores 2
[   10.497556] addr/size storage words 2 2 # words 4 in DTS, ddr size 1000000
[   10.504674] ffffffc008960140: nss core 1 booted successfully
[   10.504914] PPP generic driver version 2.4.2
[   10.518080] NET: Registered protocol family 24
[   10.523639] Loading modules backported from Linux version v5.15-rc6-0-g519d81956ee2
[   10.525862] Backport generated by backports.git v5.15-rc6-1-0-gd44432d6
[   10.543065] xt_time: kernel timezone is -0000
[   10.570563] ath11k c000000.wifi: ipq8074 hw2.0
[   10.570756] remoteproc remoteproc0: powering up cd00000.q6v5_wcss
[   10.573961] remoteproc remoteproc0: Booting fw image IPQ8074/q6_fw.mdt, size 668
[   10.938372] remoteproc remoteproc0: remote processor cd00000.q6v5_wcss is now up
[   10.939964] ath11k c000000.wifi: qmi ignore invalid mem req type 3
[   10.945321] kmodloader: done loading kernel modules from /etc/modules.d/*
[   10.945440] ath11k c000000.wifi: chip_id 0x0 chip_family 0x0 board_id 0x294 soc_id 0xffffffff
[   10.957774] ath11k c000000.wifi: fw_version 0x250684a5 fw_build_timestamp 2021-07-13 10:57 fw_build_id QC_IMAGE_VERSION_STRING=WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
[   10.967624] ath11k c000000.wifi: failed to fetch board data for bus=ahb,qmi-chip-id=0,qmi-board-id=660,variant=Xiaomi-AX9000 from ath11k/IPQ8074/hw2.0/board-2.bin
[   11.015336] ath11k c000000.wifi: failed to fetch board-2.bin or board.bin from IPQ8074/hw2.0
[   11.015377] ath11k c000000.wifi: failed to load board file: -12
[   11.022949] ath11k c000000.wifi: failed to load board data file: -12
[   13.302056] ECM init
[   13.302106] ECM database jhash random seed: 0x13d1fa40
[   13.304279] ECM init complete
[   13.804974] br-lan: port 1(eth0) entered blocking state
[   13.805005] br-lan: port 1(eth0) entered disabled state
[   13.809393] device eth0 entered promiscuous mode
[   13.821654] br-lan: port 2(eth1) entered blocking state
[   13.821686] br-lan: port 2(eth1) entered disabled state
[   13.826008] device eth1 entered promiscuous mode
[   13.835265] br-lan: port 3(eth2) entered blocking state
[   13.835757] br-lan: port 3(eth2) entered disabled state
[   13.841094] device eth2 entered promiscuous mode
[   13.849351] br-lan: port 4(eth3) entered blocking state
[   13.850778] br-lan: port 4(eth3) entered disabled state
[   13.856104] device eth3 entered promiscuous mode
[   33.284277] nss-dp 3a001400.dp3 eth2: PHY Link up speed: 1000
[   33.284358] br-lan: port 3(eth2) entered blocking state
[   33.289020] br-lan: port 3(eth2) entered forwarding state
[   33.294424] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   35.811930] pmd9655_ldo11: disabling
[   89.604061] nss-dp 3a001400.dp3 eth2: PHY Link is down
[   89.604314] br-lan: port 3(eth2) entered disabled state
2 Likes

Ah that's good, that proves robimarko was right, u-boot only checks the default booted image.

WIFI and WAN are not working, because this needs device-specific IDs in the device tree.

So the next thing would be to fetch the used dts. Can you dump the rootfs partition in luci (system - backup / flash firmware - save mtdblock) and share the file with us?

Dumping all partitions in luci and scp'ing them to a safe place is in general a good idea.

Unfortunately I get empty files using luci, same errors using the console.

root@OpenWrt:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:sbl1"
mtd1: 00100000 00020000 "0:mibib"
mtd2: 00080000 00020000 "0:bootconfig"
mtd3: 00080000 00020000 "0:bootconfig1"
mtd4: 00300000 00020000 "0:qsee"
mtd5: 00300000 00020000 "0:qsee_1"
mtd6: 00080000 00020000 "0:devcfg"
mtd7: 00080000 00020000 "0:devcfg_1"
mtd8: 00080000 00020000 "0:apdp"
mtd9: 00080000 00020000 "0:apdp_1"
mtd10: 00080000 00020000 "0:rpm"
mtd11: 00080000 00020000 "0:rpm_1"
mtd12: 00080000 00020000 "0:cdt"
mtd13: 00080000 00020000 "0:cdt_1"
mtd14: 00080000 00020000 "0:appsblenv"
mtd15: 00100000 00020000 "0:appsbl"
mtd16: 00100000 00020000 "0:appsbl_1"
mtd17: 00080000 00020000 "0:art"
mtd18: 06100000 00020000 "rootfs"
mtd19: 00900000 00020000 "0:wififw"
mtd20: 06100000 00020000 "rootfs_1"
mtd21: 00900000 00020000 "0:wififw_1"
mtd22: 01600000 00020000 "ubifs"
mtd23: 00080000 00020000 "0:ethphyfw"
mtd24: 00280000 00020000 "certificate"
root@OpenWrt:/# dd if=/dev/mtdblock18 of=/tmp/rootfs.bin
[ 1088.220072] blk_update_request: I/O error, dev mtdblock18, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 4 prio class 0
[ 1088.222219] blk_update_request: I/O error, dev mtdblock18, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
[ 1088.229762] Buffer I/O error on dev mtdblock18, logical block 0, async page read
dd: /dev/mtdblock18: I/O error
root@OpenWrt:/# dd if=/dev/mtdblock20 of=/tmp/rootfs_1.bin
[ 1198.848596] blk_update_request: I/O error, dev mtdblock20, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 4 prio class 0
[ 1198.850774] blk_update_request: I/O error, dev mtdblock20, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
[ 1198.858274] Buffer I/O error on dev mtdblock20, logical block 0, async page read
dd: /dev/mtdblock20: I/O error

No idea, does that also happen on other partitions, 0:wififw for example?

I was able to save the rootfs images using this command: cat /dev/mtd18 > /tmp/rootfs.bin
https://drive.google.com/drive/folders/1j3oOHNQ0BW3jHUtIwCVRPObWxtEHEpUy?usp=sharing
How to extract the data from these images? I tried with binwalk but it extracts a 0.ubi image.

You should use the ubireader to extract the images and then you can use binwalk to extract the squashfs.

3 Likes

I'm not able to unsquash the image:


 ./unsquashfs 0.squashfs
Read on filesystem failed because EOF
read_block: failed to read block @0x80040000
read_id_table: failed to read id table block
FATAL ERROR: File system corruption detected

and dtb decompile isn't working either

invalid opcode

maybe this is related to image signing

What does binwalk say about the rootfs volume?
I wouldn't be surprised if it's encrypted

It's looking for an external extractor sasquatch (which I don't have installed)

WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d 'squashfs-root' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -le -d 'squashfs-root' '%e'' might not be installed correctly

WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -be -d 'squashfs-root' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -be -d 'squashfs-root' '%e'' might not be installed correctly
0             0x0             Squashfs filesystem, little endian, version 4.0, compression:xz, size: 35052614 bytes, 4956 inodes, blocksize: 262144 bytes, created: 2021-09-12 18:03:09

That's why I tried unsquashfs.

I mean just binwalk, without -e for extracting

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Squashfs filesystem, little endian, version 4.0, compression:xz, size: 35052614 bytes, 4956 inodes, blocksize: 262144 bytes, created: 2021-09-12 18:03:09

Then it's not encrypted, if it was then it would have been a bunch of random crap.
But it could be a vendor modified version of Squashfs
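
Added example, not part of the original thread: a check for the situation discussed above, where binwalk recognises a SquashFS superblock but unsquashfs reads past EOF while loading the id table. It parses the standard SquashFS 4.0 superblock and verifies that `bytes_used`, the table offsets and the id index entries lie inside the dump; the sample image is constructed, and a vendor-modified layout may not follow this format.

```python
import struct

SQUASHFS_MAGIC = 0x73717368          # b"hsqs": little-endian SquashFS
SB_FMT = "<5I6H8Q"                   # standard 96-byte SquashFS 4.0 superblock
SB_FIELDS = ("magic inode_count mod_time block_size frag_count compressor "
             "block_log flags id_count major minor root_inode bytes_used id_table "
             "xattr_table inode_table dir_table frag_table export_table").split()
ABSENT = 0xFFFFFFFFFFFFFFFF          # marks an optional table that is not present
TABLES = ("id_table", "xattr_table", "inode_table", "dir_table",
          "frag_table", "export_table")

def parse_superblock(image: bytes) -> dict:
    if len(image) < struct.calcsize(SB_FMT):
        raise ValueError("image shorter than a SquashFS superblock")
    sb = dict(zip(SB_FIELDS, struct.unpack_from(SB_FMT, image)))
    if sb["magic"] != SQUASHFS_MAGIC:
        raise ValueError("not a little-endian SquashFS image")
    return sb

def check_image(image: bytes) -> list:
    """Return a list of inconsistencies; an empty list means the layout is sane."""
    sb, problems = parse_superblock(image), []
    if sb["block_size"] != 1 << sb["block_log"]:
        problems.append("block_size does not match block_log")
    if sb["bytes_used"] > len(image):
        problems.append("truncated: bytes_used %d > file size %d"
                        % (sb["bytes_used"], len(image)))
    for name in TABLES:
        if sb[name] != ABSENT and sb[name] >= len(image):
            problems.append("%s offset 0x%x is outside the file" % (name, sb[name]))
    # The id table starts with an index of u64 pointers, one per 2048 ids.
    n_index = (sb["id_count"] + 2047) // 2048
    if sb["id_table"] + 8 * n_index <= len(image):
        for ptr in struct.unpack_from("<%dQ" % n_index, image, sb["id_table"]):
            if ptr >= len(image):
                problems.append("id index entry 0x%x is outside the file" % ptr)
    return problems

def build_sample(id_ptr: int) -> bytes:
    """Constructed 4 KiB test image: superblock plus a one-entry id index at 96."""
    sb = struct.pack(SB_FMT, SQUASHFS_MAGIC, 1, 0, 262144, 0, 4, 18, 0, 1, 4, 0,
                     0, 4096, 96, ABSENT, 104, 104, 104, ABSENT)
    return (sb + struct.pack("<Q", id_ptr)).ljust(4096, b"\0")

if __name__ == "__main__":
    print(check_image(build_sample(104)))          # consistent layout
    print(check_image(build_sample(0x80040000)))   # id pointer past end of file
```

To run it on a real dump, read the extracted SquashFS volume into a bytes object and pass it to `check_image`; a truncation finding points at an incomplete dump, while in-range offsets with a failing unsquashfs point towards a non-standard format.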

@Gost6 did you pursue this further, in particular if it's possible to boot OpenWrt from NAND? Features and pricing for this device are indeed very tempting, if there'd be a way to change the boot command in a persistent way to boot unsigned (OpenWrt-) images from NAND.

2 Likes

We need the DTS, if anyone can figure out how to extract it. I have been trying to capture the OTA update URL without success; probably we need to wait for ASKEY to disclose the GPL code.